From 587655ff41f10d2c275cbbccfa33e19bb8006c1e Mon Sep 17 00:00:00 2001 From: Jason Riordan Date: Thu, 23 Feb 2017 23:19:29 -0500 Subject: mofd: more selinux * relabel /config at boot * allow apps using houdini access to cpuinfo * allow apps to use ffmpeg * allow asus_config to set all teh propz Change-Id: Iedb815d693ce4686a9bf76bde92d33df775cd719 --- rootdir/etc/init.mofd_v1.rc | 1 + sepolicy/asus_config.te | 2 ++ sepolicy/rootfs.te | 1 + sepolicy/untrusted_app.te | 4 ++++ 4 files changed, 8 insertions(+) create mode 100644 sepolicy/rootfs.te create mode 100644 sepolicy/untrusted_app.te diff --git a/rootdir/etc/init.mofd_v1.rc b/rootdir/etc/init.mofd_v1.rc index fbf3f71..1b5bc9a 100644 --- a/rootdir/etc/init.mofd_v1.rc +++ b/rootdir/etc/init.mofd_v1.rc @@ -206,6 +206,7 @@ on post-fs chown system system /sys/devices/platform/bcove_bcu/camflash_ctrl symlink /sys/devices/platform/bcove_bcu /dev/bcu + restorecon /config restorecon_recursive /factory restorecon_recursive /config restorecon_recursive /logs diff --git a/sepolicy/asus_config.te b/sepolicy/asus_config.te index 969be56..3bdb2cf 100644 --- a/sepolicy/asus_config.te +++ b/sepolicy/asus_config.te @@ -7,6 +7,8 @@ set_prop(asus_config, audio_prop) set_prop(asus_config, asus_prop) set_prop(asus_config, config_prop) set_prop(asus_config, radio_prop) +set_prop(asus_config, ctl_default_prop) +set_prop(asus_config, ctl_rildaemon_prop) allow asus_config config_file:dir search; allow asus_config config_file:file rw_file_perms; diff --git a/sepolicy/rootfs.te b/sepolicy/rootfs.te new file mode 100644 index 0000000..7cfb964 --- /dev/null +++ b/sepolicy/rootfs.te @@ -0,0 +1 @@ +allow rootfs labeledfs:filesystem associate; diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te new file mode 100644 index 0000000..5f21d49 --- /dev/null +++ b/sepolicy/untrusted_app.te 
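Review bot: The added `restorecon /config` in the `on post-fs` block of rootdir/etc/init.mofd_v1.rc sits two lines above an existing `restorecon_recursive /config`, which appears to cover the same directory, so the reason for the extra call is not evident from the hunk. If it works around the recursive form skipping the top-level directory, say so in a comment above the line, e.g. `# relabel the /config mount point itself; restorecon_recursive below may skip it`. The `on post-fs` block starts and ends outside the hunk.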
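Review bot: In sepolicy/asus_config.te the added `set_prop(asus_config, ctl_default_prop)` grants more than the change appears to need. `ctl_default_prop` is the fallback label for every `ctl.*` property without a more specific type, so the rule lets asus_config start, stop or restart any init service that falls under that default. If the domain only has to control the RIL daemon, the `set_prop(asus_config, ctl_rildaemon_prop)` line added next to it already covers that and the `ctl_default_prop` line can be dropped; otherwise give the service its own property type in property_contexts and grant only that. A comment above whichever rule stays, e.g. `# asus_config restarts <service> after applying config`, would let a later reviewer check the grant against its purpose.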
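Review bot: The single rule in the new sepolicy/rootfs.te, `allow rootfs labeledfs:filesystem associate;`, permits any object labelled `rootfs` to live on every labelled filesystem instead of fixing the one path that is mislabelled. It presumably exists so that the new `restorecon /config` can succeed, which would mean /config resolves to `rootfs` in file_contexts. Mapping that mount point to `config_file` there, the type asus_config.te already uses, would likely make the blanket rule unnecessary, though this needs confirming against the device's file_contexts. If the rule has to stay, record the reason next to it, e.g. `# /config mount point is labelled rootfs; needed for restorecon in init.mofd_v1.rc`.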
@@ -0,0 +1,4 @@
+allow untrusted_app asus_tee_device:chr_file rw_file_perms;
+allow untrusted_app system_file:file execmod;
+allow untrusted_app cpuinfo_file:file { mounton };
+allow untrusted_app cpuinfo_file:file r_file_perms;
-- cgit v1.2.3
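Review bot: The first rule of the new sepolicy/untrusted_app.te, `allow untrusted_app asus_tee_device:chr_file rw_file_perms;`, gives every third-party app direct read/write access to the TEE device node, and none of the four bullets in the commit message accounts for it. Access of this kind is normally confined to a dedicated service domain, so the rule should be dropped or moved to the domain that brokers TEE requests. `allow untrusted_app system_file:file execmod;` lets apps make modified mappings of system files executable, which weakens W^X for the whole app domain; if the denial comes from text relocations in the ffmpeg libraries, rebuilding them without text relocations removes the need for the rule. The `{ mounton }` grant on `cpuinfo_file` reads like a denial copied straight into policy, since the bind mount for houdini would be expected in the process that sets up the app rather than in the app itself, so it is worth checking whether `r_file_perms` alone is enough. Each rule that stays should carry a comment naming the denial it resolves.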